Closed Bug 1672481 Opened 4 years ago Closed 4 years ago

Cross-origin resource sharing

Categories

(Firefox :: Sync, defect)

defect

Tracking


RESOLVED INVALID

People

(Reporter: noumansheikh732, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36

Steps to reproduce:

Request:
POST /1.5/173640239/storage/addons?batch=true&commit=true HTTP/1.1
Host: sync-1-us-west1-g.sync.services.mozilla.com
User-Agent: Firefox/83.0 (Windows NT 10.0; Win64; x64) FxSync/1.85.0.20201020173725.desktop
Accept: application/json;q=0.9,*/*;q=0.2
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
authorization: Hawk id="eyJ1aWQiOiAxNzM2NDAyMzksICJub2RlIjogImh0dHBzOi8vc3luYy0xLXVzLXdlc3QxLWcuc3luYy5zZXJ2aWNlcy5tb3ppbGxhLmNvbSIsICJleHBpcmVzIjogMTYwMzI4MTYxMiwgImZ4YV91aWQiOiAiZjkzYjkyNjZiZGE1NDhiNjliNzExZTJiN2NhMGE3ZDIiLCAiZnhhX2tpZCI6ICIxNTc5MDk5OTQ1Mzk3LUZTaVdDbWswN2dnUS0tLUxqeXhiNXciLCAiaGFzaGVkX2Z4YV91aWQiOiAiYWU0NGJjMzdmYjY5MDA4ZTIxY2EwNGRhOGMyNzI0NGEiLCAiaGFzaGVkX2RldmljZV9pZCI6ICJlMGUwZGY4MWUyNDYyYzYwNGUzYTNiNjdjYjY1NWVjNyIsICJzYWx0IjogIjE2OTE5NiJ9OwAnDG23qfmLW6BAVsn5HXn6OMf7VCOb4BGhYWDpDN4=", ts="1603278016", nonce="jAAJIQX4zWc=", mac="BBTfzRU4rK2w+4NYI2kfqnL3FxehwbyMNJiLMzMfH8M="
content-type: text/plain
x-if-unmodified-since: 0
Origin: null
Content-Length: 459
Connection: close
Pragma: no-cache
Cache-Control: no-cache

[{"payload":"{\"ciphertext\":\"TSgfmUidpTV0FMpr7YqvHytmGXXFdaGDDz4Nt0XEVSAKSYL+lr5LaNmO48wWHTMyuq+xu5ex1yHdcfy80Q/TeIhbfDY1VvQMsicJrmPrd8mnjAdJSVyHJnZGQcu2densdZsH3wUltf1+HSBgFWuSHE+pEifHiUMj3WAvder0VvJ5hHuG6DZptrv89XBrGg/zCbW3o0AOj8P73UqDPKT3+fGCIa8km2B+mQNnvCzFmho=\",\"IV\":\"xEJ52bP7uC8koxQqmYkGiQ==\",\"hmac\":\"328ae1715dc6abd2c76fef42f8d8578aeef9f09981ac2ad2e7f95ecc9bd6e16b\"}","id":"{d046d9fa-3019-417b-a77d-d4f48247d3ce}","modified":1603275271.788}]

Actual results:

Response:
HTTP/1.1 200 OK
Server: openresty/1.15.8.2
Date: Wed, 21 Oct 2020 11:00:17 GMT
Content-Type: application/json
Content-Length: 91
vary: Origin
access-control-allow-origin: null
x-last-modified: 1603278017.80
x-weave-timestamp: 1603278017.80
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Max-Age: 1728000
Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Conditions-Accepted
Via: 1.1 google
Alt-Svc: clear
Connection: close

{"failed":{},"modified":1603278017.80,"success":["{d046d9fa-3019-417b-a77d-d4f48247d3ce}"]}

Expected results:

Severity of this bug is very high.
Assets:
8 instances of this issue were identified
/1.5/173640239/storage/addons
/1.5/173640239/storage/clients
/1.5/173640239/storage/extension-storage
/1.5/173640239/storage/forms
/1.5/173640239/storage/history
/1.5/173640239/storage/meta/global
/1.5/173640239/storage/passwords
/1.5/173640239/storage/tabs
Explain:
Run Burp Suite and intercept the request. As you can see in the request, when I add Origin: null and hit enter, then in the response you can see Access-Control-Allow-Origin: null occur; it shows that this instance is vulnerable to CORS.

Issue remediation:
Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

Impact:
An attacker would get many victims to visit the attacker's website; if a victim is logged in, then his personal information is recorded on the attacker's server.

I don't entirely understand what is happening here, but it looks related to Sync so I'm going to move it there.

Component: Untriaged → Sync

This is just a simple origin change.

https://portswigger.net/web-security/cors here you can read more about this.

Pretty sure the way sync works, an attacker won't be able to generate a successful ciphertext and hmac payload without access to the local crypto blobs (and if they had those, it'd be game over anyway), and without those the request won't be processed, and that on its own is already enough to make this safe. I also expect that Firefox will not send the hawk Authorization request header without the website setting one (and again, it doesn't have the credentials). So I very much doubt this is valid.

But hopefully Mark can confirm that and/or clarify anything I might have misunderstood.

Flags: needinfo?(markh)
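To make the reasoning in the reporter's remediation note and in the comment above concrete, here is an added triage helper (example code, not Mozilla's or the Sync service's own). It assumes constructed request/response header dicts that mirror the exchange quoted in the report, with the Hawk id redacted, and a hypothetical allow-list of trusted origins.

```python
# Added example (not Mozilla's code): triage a reflected-Origin CORS finding.
# A reflected Origin plus Access-Control-Allow-Credentials: true only exposes
# data if the browser attaches credentials by itself ("ambient" credentials:
# cookies, cached Basic/NTLM auth). A Hawk or Bearer Authorization header must
# be set by the calling script, which would need the secret to build it.
SCRIPT_SET_AUTH_SCHEMES = {"hawk", "bearer"}

# Allow-list of trusted origins (constructed, hypothetical) for cors_headers().
ALLOWLIST = {"https://app.example", "https://admin.example"}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def triage_cors(request_headers, response_headers):
    """Classify one request/response pair; returns a dict of findings."""
    req, resp = _lower(request_headers), _lower(response_headers)
    origin = req.get("origin")
    acao = resp.get("access-control-allow-origin")
    creds = resp.get("access-control-allow-credentials", "").lower() == "true"
    scheme = req.get("authorization", "").split(" ", 1)[0].lower()
    ambient = "cookie" in req or (scheme != "" and scheme not in SCRIPT_SET_AUTH_SCHEMES)
    reflected = origin is not None and acao == origin
    return {
        "origin_reflected": reflected,
        "null_origin_allowed": acao == "null",
        "credentials_allowed": creds,
        "ambient_credentials": ambient,
        "credential_exposure_possible": reflected and creds and ambient,
    }


def cors_headers(origin, allowlist):
    """Allow-list based CORS headers: exact match only, 'null' never allowed."""
    headers = {"Vary": "Origin"}  # response differs per Origin; keep caches honest
    if origin in allowlist and origin != "null":
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed sample mirroring the exchange in the report (Hawk id redacted).
SAMPLE_REQUEST = {"Origin": "null", "Content-Type": "text/plain",
                  "Authorization": 'Hawk id="<redacted>", ts="0", nonce="x", mac="y"'}
SAMPLE_RESPONSE = {"Access-Control-Allow-Origin": "null",
                   "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}

if __name__ == "__main__":
    print(triage_cors(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(cors_headers("null", ALLOWLIST), cors_headers("https://app.example", ALLOWLIST))
```

On the sample exchange the helper flags the reflected null origin and the credentials header as a configuration smell, but reports no possible credential exposure because the only credential is a script-set Hawk header.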

Gijs is entirely correct and this is by design. POSTs to this end-point don't come from an origin, but from Firefox itself. If you can explain what actual vulnerability exists here I'm happy to re-open, but I'm confident none exists.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(markh)
Resolution: --- → INVALID

Am I eligible for a bounty?

Because HackerOne offers a big bounty for this vulnerability, because the severity of this vulnerability is very high.

(In reply to Mohammad Nouman from comment #7)

> Because HackerOne offers a big bounty for this vulnerability, because the severity of this vulnerability is very high.

I don't doubt that hackerone pays bounties when the vulnerability is serious, but we have already explained in comment #4 and comment #5 that we don't understand how/why you believe your report is a serious vulnerability - or a vulnerability at all, really. If you think we should be paying you a bounty, you would need to show that/why this is a real issue.

Group: firefox-core-security